Connect PAYG instance

In the three major public cloud providers (AWS, GCP and Azure), SUSE:

  • provides customized PAYG product images for SLES, SLES for SAP, etc.

  • operates per-region RMT Servers mirroring repositories for products available as PAYG

This document describes how to connect existing PAYG instance to SUSE Manager server, and gives basic information about credentials collection from the instance. The goal of this connection is to extract authentication data so the SUSE Manager Server can connect to a cloud RMT host. Then the SUSE Manager Server has access to products on the RMT host that are not already available with the SUSE Customer Center organization credentials.

Before using PAYG feature make sure that:

  • The PAYG instance is launched from the correct SUSE product image (for example, SLES, SLES for SAP, or SLE HPC) to allow access to the desired repositories

  • SUSE Manager Server has connectivity to the PAYG instance (ideally in the same region) either directly or via a bastion

  • A basic SUSE Customer Center account is required. Enter your valid SUSE Customer Center credentials in Admin  Setup Wizard  Organization Credentials. This account is required for accessing the SUSE Manager client tools for boostrapping regardless of PAYG instances.

  • If you bootstrap the PAYG instance to SUSE Manager, SUSE Manager will disable its PAYG repositories then add repositories from where it mirrored the data from the RMT server. The final result will be PAYG instances acquiring the same repositories from the RMT servers but through the SUSE Manager server itself. Of course repositories can still be setup primarily from SCC.

1. Connecting PAYG instance

Procedure: Connecting new PAYG instance
  1. In the SUSE Manager Web UI, navigate to Admin  Setup Wizard  PAYG, and click Add PAYG.

  2. Start with the page section PAYG connection Description.

  3. In the Description field, add the description.

  4. Move to the page section Instance SSH connection data.

  5. In the Host field, enter the instance DNS or IP address to connect from SUSE Manager.

  6. In the SSH Port field, enter the port number or use default value 22.

  7. In the User field, enter the username as specified in the cloud.

  8. In the Password field, enter the password.

  9. In the SSH Private Key field, enter the instance key.

  10. In the SSH Private Key Passphrase field, enter the key passphrase.

Authentication keys must always be in PEM format.

If you are not connecting directly to the instance, but via SSH bastion, proceed with Procedure: Adding SSH bastion connection data.

Otherwise, continue with Procedure: Finishing PAYG connecting.

Procedure: Adding SSH bastion connection data
  1. Navigate to the page section Bastion SSH connection data.

  2. In the Host field, enter the bastion hostname.

  3. In the SSH Port field, enter the bastion port number.

  4. In the User field, enter the bastion username.

  5. In the Password field, enter the bastion password.

  6. In the SSH Private Key field, enter the bastion key.

  7. In the SSH Private Key Passphrase field, enter the bastion key passphrase.

Complete the setup process with with Procedure: Finishing PAYG connecting.

Procedure: Finishing PAYG connecting
  1. To complete adding new PAYG connection data, click Create.

  2. Return to PAYG connection data Details page. The updated connection status is displayed on the top section named Information.

  3. Connection status is shown in Admin > Setup Wizard > Pay-as-you-go screen too.

  4. If the authentication data for the instance are correct, the column Status shows "Credentials successfully updated."

If the invalid data are entered at any point, the newly created instance is shown in Admin > Setup Wizard > PAYG, with column Status displaying error message.

As soon as the authentication data is available on the server, the list of available products is updated.

Available products are all versions of the same product family and architecture as the one installed in the PAYG instance. For example, if the instance has the SUSE Linux Enterprise Server 15 SP1 product installed, SUSE Linux Enterprise Server 15 SP2, SUSE Linux Enterprise Server 15 SP3, SUSE Linux Enterprise Server 15 SP4 and SUSE Linux Enterprise Server 15 SP5 are automatically shown in Admin > Setup Wizard > Products.

Once the products are shown as available, the user can add a product to SUSE Manager by selecting the checkbox next to the product name and clicking Add product.

After the success message you can verify the newly added channels in the Web UI, by navigating to Software > Channel List > All.

To monitor the syncing progress of each channel, check the log files in the /var/log/rhn/reposync directory on the SUSE Manager Server.

If a product is provided by both the PAYG instance and one of the SUSE Customer Center subscriptions, it will appear only once in the products list.

When the channels belonging to that product are synced, the data might still come from the SCC subscription, and not from the Pay-As-You-Go instance.

1.1. Deleting the instance connection data

The following procedure describes how to delete SSH connection data of the instance.

Procedure: Deleting connection data to instance
  1. Open Admin > Setup Wizard > PAYG.

  2. Find the instance on the list of existing instances.

  3. Click on the instance details.

  4. Select Delete and confirm your selection.

  5. You are returned to the list of instances. The one that was just deleted is no longer shown.

2. Instance credential collect status

SUSE Manager server uses credentails collected from the instance to connect to the RMT server and to download the packages using reposync. These credentials are refreshed every 10 minutes by taskomatic using the defined SSH connection data. Connection to RMT server always uses the last known authentication credentials collected from the PAYG instance.

The status of the PAYG instance credentials collect is shown in the column Status or on the instance details page. When the instance is not reachable, the credential update process will fail.

When the instance is unreachable, the credential update process will fail and the credentials will become invalid after the second failed refresh. Synchronization of channels will fail when the credentials are invalid. To avoid this keep the connected instances running.

PAYG instance remains connected to SUSE Manager server unless SSH connection data is explicitly deleted. To delete the SSH connection data to the instance, use Procedure: Deleting connection data to instance.

PAYG instance may not be accessible from the SUSE Manager server at all times.

  • If the instance exists, but is stopped, the last known credentials will be used to try to connect to the instance. How long the credentials remain valid depends on the cloud provider.

  • If the instance no longer exists, but is still registered with SUMA, its credentials are no longer valid and the authentication will fail. The error message is shown in the column Status.

    The error message only indicates that the instance is not available. Further diagnostics about the status of the instance needs to be done on the cloud provider.

Any of the following actions or changes in the PAYG instance will lead to credentials failing: * removing zypper credentials files * removing the imported certificates * removing cloud-specific entries from /etc/hosts

3. Registering PAYG system as a client

You can register a PAYG instance from where you harvest the credentials as a Salt client. The instance needs to have a valid cloud connection registered, otherwise it will not have access to channels. If the user removes the cloud packages, the credentials harvesting may stop working.

First set up the PAYG instance to collect authentication data, so it can synchronize the channels.

The rest of the process is the same as for any non-public-cloud client and consists of synchronizing channels, automatic bootstrap script creation, activation key creation and starting the registration.

For more about registering clients, see Client Registration.

4. Troubleshooting

Checking the credentials
  • If the script fails to collect the credentials, it should provide a proper error message in the logs and in the Web UI.

  • If the credentials are not working, reposync should show the proper error.

Using registercloudguest
  • Refreshing or changing the registercloudguest connection to the public cloud update infrastructure should not interfere with the credentials usage.

  • Running `registercloudguest --clean will cause problems if no new cloud connection is registered with the cloud guest command.